Tumblr's Big Gaping iOS Password Security Hole

Late last night Tumblr made a mysterious and cryptic plea to its iPhone and iPad app users, asking any persons who have ever logged in through the app to reset their passwords, because of a complete lack of password security.

The message that went up last night, which also appeared in users' app streams, didn't say much beyond, "We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹." According to a security professional who was auditing iOS applications, Tumblr had neglected to use Secure Sockets Layer (SSL) to encrypt iOS logins and passwords at all, which makes it incredibly easy to steal username-password combinations.

"It's such a huge and egregious error," Kevin O'Brien, an enterprise solutions architect for CloudLock, told the Atlantic Wire. "SSL is used to ensure that information is encrypted while it's being transmitted between, say, a computer and somewhere on the Internet," he explained. "Not having SSL enabled means that whenever their users were logging in, their passwords were transmitted in the clear." Indeed, as this image via The Register shows, both the username and password, circled in red below, went over the web's tubes in plain-text for any thief to take and see:

Someone can easily run what is called a "sniffer" to listen to the traffic and collect usernames and passwords. Tumblr confirmed in a footnote that certain passwords had been "sniffed." However, it had to have everyone change their passwords, because it's hard to tell who got "sniffed."
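The class of defect described above, as an added audit check that is not part of the article or of Tumblr's code: it takes a constructed list of an app's outbound login requests, as an intercepting proxy would record them during an app audit, and flags any that carry credential fields over plain http:// instead of https://. The URLs, field names and credential values are all assumptions.

```python
# Added example: flag app requests that send credentials without TLS.
# Not from the article or from Tumblr; URLs and field names are assumed.
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Form field names that usually carry a credential (assumed list).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "username", "user", "login", "email"}


@dataclass
class CapturedRequest:
    """One outbound request as an intercepting proxy would record it."""
    method: str
    url: str
    body: str = ""  # form-encoded body, empty for GET


def credential_fields(req: CapturedRequest) -> list[str]:
    """Return the credential-looking field names present in the form body."""
    fields = parse_qs(req.body, keep_blank_values=True)
    return sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)


def audit(requests: list[CapturedRequest]) -> list[dict]:
    """Report every request that carries credentials over a non-TLS scheme."""
    findings = []
    for req in requests:
        scheme = urlsplit(req.url).scheme.lower()
        fields = credential_fields(req)
        if fields and scheme != "https":
            findings.append({"url": req.url, "fields": fields})
    return findings


# Constructed sample capture: a plaintext login (the defect described),
# a correctly encrypted login, and a harmless plaintext request.
SAMPLE = [
    CapturedRequest("POST", "http://app.example.invalid/api/login",
                    "username=alice&password=hunter2"),
    CapturedRequest("POST", "https://app.example.invalid/api/login",
                    "username=bob&password=s3cret"),
    CapturedRequest("GET", "http://app.example.invalid/dashboard/feed"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f"PLAINTEXT CREDENTIALS: {finding['url']} fields={finding['fields']}")
```

Only the first sample request is reported; the https login and the credential-free GET pass.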

It's pretty surprising that an app as big as Tumblr didn't have this kind of encryption. "It's a fundamental security practice that you should have," added O'Brien. It was recently discovered that Android's backup services didn't have SSL, either. But in cases like these, since there was no breach, just a hole, it's possible that not too many passwords and usernames were stolen.

This article is from the archive of our partner The Wire.
